mirror of
https://github.com/Dokploy/dokploy.git
synced 2026-07-03 13:05:23 +02:00
feat(docker): Build-time Secrets
This commit is contained in:
@@ -80,6 +80,7 @@ export const applications = pgTable("application", {
|
||||
previewEnv: text("previewEnv"),
|
||||
watchPaths: text("watchPaths").array(),
|
||||
previewBuildArgs: text("previewBuildArgs"),
|
||||
previewBuildSecrets: text("previewBuildSecrets"),
|
||||
previewLabels: text("previewLabels").array(),
|
||||
previewWildcard: text("previewWildcard"),
|
||||
previewPort: integer("previewPort").default(3000),
|
||||
@@ -99,6 +100,7 @@ export const applications = pgTable("application", {
|
||||
).default(true),
|
||||
rollbackActive: boolean("rollbackActive").default(false),
|
||||
buildArgs: text("buildArgs"),
|
||||
buildSecrets: text("buildSecrets"),
|
||||
memoryReservation: text("memoryReservation"),
|
||||
memoryLimit: text("memoryLimit"),
|
||||
cpuReservation: text("cpuReservation"),
|
||||
@@ -252,6 +254,7 @@ const createSchema = createInsertSchema(applications, {
|
||||
autoDeploy: z.boolean(),
|
||||
env: z.string().optional(),
|
||||
buildArgs: z.string().optional(),
|
||||
buildSecrets: z.string().optional(),
|
||||
name: z.string().min(1),
|
||||
description: z.string().optional(),
|
||||
memoryReservation: z.string().optional(),
|
||||
@@ -303,6 +306,7 @@ const createSchema = createInsertSchema(applications, {
|
||||
previewPort: z.number().optional(),
|
||||
previewEnv: z.string().optional(),
|
||||
previewBuildArgs: z.string().optional(),
|
||||
previewBuildSecrets: z.string().optional(),
|
||||
previewWildcard: z.string().optional(),
|
||||
previewLimit: z.number().optional(),
|
||||
previewHttps: z.boolean().optional(),
|
||||
@@ -456,6 +460,7 @@ export const apiSaveEnvironmentVariables = createSchema
|
||||
applicationId: true,
|
||||
env: true,
|
||||
buildArgs: true,
|
||||
buildSecrets: true,
|
||||
})
|
||||
.required();
|
||||
|
||||
|
||||
@@ -473,6 +473,7 @@ export const deployPreviewApplication = async ({
|
||||
application.appName = previewDeployment.appName;
|
||||
application.env = `${application.previewEnv}\nDOKPLOY_DEPLOY_URL=${previewDeployment?.domain?.host}`;
|
||||
application.buildArgs = application.previewBuildArgs;
|
||||
application.buildSecrets = application.previewBuildSecrets;
|
||||
|
||||
if (application.sourceType === "github") {
|
||||
await cloneGithubRepository({
|
||||
@@ -580,6 +581,7 @@ export const deployRemotePreviewApplication = async ({
|
||||
application.appName = previewDeployment.appName;
|
||||
application.env = `${application.previewEnv}\nDOKPLOY_DEPLOY_URL=${previewDeployment?.domain?.host}`;
|
||||
application.buildArgs = application.previewBuildArgs;
|
||||
application.buildSecrets = application.previewBuildSecrets;
|
||||
|
||||
if (application.serverId) {
|
||||
let command = "set -e;";
|
||||
|
||||
@@ -1,5 +1,8 @@
|
||||
import type { WriteStream } from "node:fs";
|
||||
import { prepareEnvironmentVariables } from "@dokploy/server/utils/docker/utils";
|
||||
import {
|
||||
getEnviromentVariablesObject,
|
||||
prepareEnvironmentVariables,
|
||||
} from "@dokploy/server/utils/docker/utils";
|
||||
import {
|
||||
getBuildAppDirectory,
|
||||
getDockerContextPath,
|
||||
@@ -17,6 +20,7 @@ export const buildCustomDocker = async (
|
||||
env,
|
||||
publishDirectory,
|
||||
buildArgs,
|
||||
buildSecrets,
|
||||
dockerBuildStage,
|
||||
cleanCache,
|
||||
} = application;
|
||||
@@ -26,11 +30,6 @@ export const buildCustomDocker = async (
|
||||
|
||||
const defaultContextPath =
|
||||
dockerFilePath.substring(0, dockerFilePath.lastIndexOf("/") + 1) || ".";
|
||||
const args = prepareEnvironmentVariables(
|
||||
buildArgs,
|
||||
application.environment.project.env,
|
||||
application.environment.env,
|
||||
);
|
||||
|
||||
const dockerContextPath = getDockerContextPath(application);
|
||||
|
||||
@@ -44,9 +43,29 @@ export const buildCustomDocker = async (
|
||||
commandArgs.push("--target", dockerBuildStage);
|
||||
}
|
||||
|
||||
const args = prepareEnvironmentVariables(
|
||||
buildArgs,
|
||||
application.environment.project.env,
|
||||
application.environment.env,
|
||||
);
|
||||
|
||||
for (const arg of args) {
|
||||
commandArgs.push("--build-arg", arg);
|
||||
}
|
||||
|
||||
const secrets = getEnviromentVariablesObject(
|
||||
buildSecrets,
|
||||
application.environment.project.env,
|
||||
application.environment.env,
|
||||
);
|
||||
|
||||
for (const key in secrets) {
|
||||
// Although buildx is smart enough to know we may be referring to an environment variable name,
|
||||
// we still make sure it doesn't fall back to type=file.
|
||||
// See: https://docs.docker.com/reference/cli/docker/buildx/build/#secret
|
||||
commandArgs.push("--secret", `type=env,id=${key}`);
|
||||
}
|
||||
|
||||
/*
|
||||
Do not generate an environment file when publishDirectory is specified,
|
||||
as it could be publicly exposed.
|
||||
@@ -70,6 +89,10 @@ export const buildCustomDocker = async (
|
||||
},
|
||||
{
|
||||
cwd: dockerContextPath || defaultContextPath,
|
||||
env: {
|
||||
...process.env,
|
||||
...secrets,
|
||||
},
|
||||
},
|
||||
);
|
||||
} catch (error) {
|
||||
@@ -86,6 +109,7 @@ export const getDockerCommand = (
|
||||
env,
|
||||
publishDirectory,
|
||||
buildArgs,
|
||||
buildSecrets,
|
||||
dockerBuildStage,
|
||||
cleanCache,
|
||||
} = application;
|
||||
@@ -96,11 +120,6 @@ export const getDockerCommand = (
|
||||
|
||||
const defaultContextPath =
|
||||
dockerFilePath.substring(0, dockerFilePath.lastIndexOf("/") + 1) || ".";
|
||||
const args = prepareEnvironmentVariables(
|
||||
buildArgs,
|
||||
application.environment.project.env,
|
||||
application.environment.env,
|
||||
);
|
||||
|
||||
const dockerContextPath =
|
||||
getDockerContextPath(application) || defaultContextPath;
|
||||
@@ -115,10 +134,33 @@ export const getDockerCommand = (
|
||||
commandArgs.push("--no-cache");
|
||||
}
|
||||
|
||||
const args = prepareEnvironmentVariables(
|
||||
buildArgs,
|
||||
application.environment.project.env,
|
||||
application.environment.env,
|
||||
);
|
||||
|
||||
for (const arg of args) {
|
||||
commandArgs.push("--build-arg", `'${arg}'`);
|
||||
}
|
||||
|
||||
const secrets = getEnviromentVariablesObject(
|
||||
buildSecrets,
|
||||
application.environment.project.env,
|
||||
application.environment.env,
|
||||
);
|
||||
|
||||
const joinedSecrets = Object.entries(secrets)
|
||||
.map(([key, value]) => `${key}='${value}'`)
|
||||
.join(" ");
|
||||
|
||||
for (const key in secrets) {
|
||||
// Although buildx is smart enough to know we may be referring to an environment variable name,
|
||||
// we still make sure it doesn't fall back to `type=file`.
|
||||
// See: https://docs.docker.com/reference/cli/docker/buildx/build/#secret
|
||||
commandArgs.push("--secret", `type=env,id=${key}`);
|
||||
}
|
||||
|
||||
/*
|
||||
Do not generate an environment file when publishDirectory is specified,
|
||||
as it could be publicly exposed.
|
||||
@@ -140,7 +182,7 @@ cd ${dockerContextPath} >> ${logPath} 2>> ${logPath} || {
|
||||
exit 1;
|
||||
}
|
||||
|
||||
docker ${commandArgs.join(" ")} >> ${logPath} 2>> ${logPath} || {
|
||||
${joinedSecrets} docker ${commandArgs.join(" ")} >> ${logPath} 2>> ${logPath} || {
|
||||
echo "❌ Docker build failed" >> ${logPath};
|
||||
exit 1;
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user